The firewall itself will source its queries from the OpenVPN tunnel network IP address, not from an IP address in the LAN on its side. So you need to take that into account when crafting firewall rules, DNS server ACLs, and so on.

Thank you! The light bulb above my head just turned on, as that perfectly explains the behavior I am seeing. Is there a workaround? So pfS on the other side can communicate back because it has routes for the tunnel network, but the DNS server on the other side can't because it doesn't have routes for the tunnel network? (The DNS server uses another router as its default gateway.)

You could do some outbound NAT on the OpenVPN connection to nudge that, but you're better off letting it route naturally if you can. Maybe add a route to the DNS server's gateway nudging that traffic back toward pfSense.